Issue 875882

Issue metadata

Status: Fixed
Owner:
Closed: Sep 7
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug



mash: Flaky startup crashes in ui::DrmThread::IsDeviceAtomic

Project Member Reported by jamescook@chromium.org, Aug 20

Issue description

Started happening late last week.

This report is automatically generated to track the following Failure:
Test: desktopui_MashLogin.
Suite: chrome-informational.
Chrome Version: 70.0.3527.0.
Build: veyron_minnie-tot-chrome-pfq-informational/R70-10979.0.0-b2858056.

Reason:
Unhandled DevtoolsTargetCrashException: Devtools target crashed.
build artifacts:
https://storage.cloud.google.com/?arg=chromeos-image-archive/veyron_minnie-tot-chrome-pfq-informational/R70-10979.0.0-b2858056.
results log: http://ubercautotest.corp.google.com/tko/retrieve_logs.cgi?job=/results/228791738-chromeos-test/chromeos4-row9-rack10-host6/debug/.
status log: http://ubercautotest.corp.google.com/tko/retrieve_logs.cgi?job=/results/228791738-chromeos-test/chromeos4-row9-rack10-host6/status.log.
job link: http://cautotest-prod/afe/#tab_id=view_job&object_id=228791738.

You may want to check the test history:
https://stainless.corp.google.com/search?test=^desktopui\_MashLogin$&first_date=2018-07-22&last_date=2018-08-19&row=model&col=build&view=matrix

CPU: arm
     ARMv1 ARM part(0x4100c0d0) features: swp,half,thumb,fastmult,vfpv2,edsp,thumbee,neon,vfpv3,tls,vfpv4,idiva,idivt
     4 CPUs

GPU: UNKNOWN

Crash reason:  SIGSEGV
Crash address: 0x0
Process uptime: not available

Thread 0 (crashed)
 0  chrome!ui::DrmThread::IsDeviceAtomic(int, bool*) [drm_device.h : 81 + 0x0]
     r0 = 0x00000000    r1 = 0x00000000    r2 = 0x00000001    r3 = 0x00000000
     r4 = 0xa64165e3    r5 = 0xacaecec0    r6 = 0x0d12f804    r7 = 0xa5c16a60
     r8 = 0x00000000    r9 = 0xa5c16af0   r10 = 0xa5c16c10   r12 = 0x0e22fab4
     fp = 0xacaecec0    sp = 0xa5c16a50    lr = 0x0693fe75    pc = 0x0693fe78
    Found by: given as instruction pointer in context
 1  chrome!ui::(anonymous namespace)::OnRunPostedTaskAndSignal(base::OnceCallback<void ()>, base::WaitableEvent*) [callback.h : 99 + 0x3]
     r4 = 0xa64165a8    r5 = 0x0eaddfc0    r6 = 0x0d12f804    r7 = 0xa5c16a70
     r8 = 0x00000000    r9 = 0xa5c16af0   r10 = 0xa5c16c10    fp = 0xacaecec0
     sp = 0xa5c16a68    pc = 0x0695211b
    Found by: call frame info
 2  chrome!base::internal::Invoker<base::internal::BindState<void (*)(base::OnceCallback<GURL ()>, std::__1::unique_ptr<GURL, std::__1::default_delete<GURL> >*), base::OnceCallback<GURL ()>, std::__1::unique_ptr<GURL, std::__1::default_delete<GURL> >*>, void ()>::RunOnce(base::internal::BindStateBase*) [bind_internal.h : 416 + 0x1]
     r4 = 0xacaecec0    r5 = 0x0e417120    r6 = 0x0d12f804    r7 = 0xa5c16a88
     r8 = 0x00000000    r9 = 0xa5c16af0   r10 = 0xa5c16c10    fp = 0xacaecec0
     sp = 0xa5c16a78    pc = 0x0646182d
    Found by: call frame info
 3  chrome!base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) [callback.h : 99 + 0x3]
     r4 = 0x0d16ed58    r5 = 0x0e417120    r6 = 0x0d12f804    r7 = 0xa5c16b30
     r8 = 0x00000000    r9 = 0xa5c16af0   r10 = 0xa5c16c10    fp = 0xacaecec0
     sp = 0xa5c16a90    pc = 0x0816a52b
    Found by: call frame info
 4  chrome!base::MessageLoop::RunTask(base::PendingTask*) [message_loop.cc : 431 + 0x5]
     r4 = 0x0d16ea34    r5 = 0xa5c16bb0    r6 = 0xa5c16ba0    r7 = 0xa5c16be0
     r8 = 0x0e1ac768    r9 = 0x0e1ac700   r10 = 0xa5c16c10    fp = 0xacaecec0
     sp = 0xa5c16b38    pc = 0x080fca71
    Found by: call frame info
 5  chrome!base::MessageLoop::DoWork() [message_loop.cc : 442 + 0x5]
     r4 = 0x0ceb3eb4    r5 = 0xa5c16c38    r6 = 0xa5c16c48    r7 = 0xa5c16d70
     r8 = 0x0e1ac78c    r9 = 0x0e1ac700   r10 = 0xa5c16cc8    fp = 0xa5c16cb0
     sp = 0xa5c16be8    pc = 0x080fd317
    Found by: call frame info
 6  chrome!base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) [message_pump_libevent.cc : 210 + 0x3]
     r4 = 0x0e2118a0    r5 = 0x0e1ac700    r6 = 0x00000000    r7 = 0xa5c16dc0
     r8 = 0x0cd67478    r9 = 0x0e2118a8   r10 = 0x00000000    fp = 0x00000000
     sp = 0xa5c16d78    pc = 0x081681d7
    Found by: call frame info
 7  chrome!base::RefCountedThreadSafe<base::TaskRunner, base::TaskRunnerTraits>::Release() const [run_loop.cc : 102 + 0x3]
     r4 = 0xa5c16df0    r5 = 0x0d16d03c    r6 = 0x0e1e8968    r7 = 0xa5c16dd0
     r8 = 0x0c730c21    r9 = 0xa5c16df0   r10 = 0x0e1ac700    fp = 0xa5c16df0
     sp = 0xa5c16dc8    pc = 0x081146f1
    Found by: call frame info
 8  chrome!base::Thread::ThreadMain() [thread.cc : 357 + 0x21]
     r4 = 0x0e1e8960    r5 = 0x0d16d03c    r6 = 0x0e1e8968    r7 = 0xa5c16e40
     r8 = 0x0c730c21    r9 = 0xa5c16df0   r10 = 0x0e1ac700    fp = 0xa5c16df0
     sp = 0xa5c16dd8    pc = 0x0813fb61
    Found by: call frame info
 9  chrome!base::(anonymous namespace)::ThreadFunc(void*) [platform_thread_posix.cc : 76 + 0x23]
     r4 = 0x0d16ddc8    r5 = 0xa5c17450    r6 = 0x0e1e53c0    r7 = 0xa5c16e58
     r8 = 0x0e1e8960    r9 = 0xa6417684   r10 = 0xa6417450    fp = 0x00000000
     sp = 0xa5c16e48    pc = 0x081654ed
    Found by: call frame info
10  libpthread-2.23.so!start_thread [pthread_create.c : 335 + 0xb]
     r4 = 0xa5c17450    r5 = 0xa6416710    r6 = 0x00000000    r7 = 0xa5c16e60
     r8 = 0xa5c16f90    r9 = 0xa6417684   r10 = 0xa6417450    fp = 0x00000000
     sp = 0xa5c16e60    pc = 0xaca93551
    Found by: call frame info
11  libc-2.23.so!clone + 0x5e
     r4 = 0xa5c17450    r5 = 0xa6416710    r6 = 0x00000000    r7 = 0x00000078
     r8 = 0xa5c16f90    r9 = 0xa6417684   r10 = 0xa6417450    fp = 0x00000000
     sp = 0xa5c16f90    pc = 0xac5fc141
    Found by: call frame info

Test history:
https://stainless.corp.google.com/search?exclude_retried=true&exclude_cts=false&exclude_non_production=true&exclude_acts=true&exclude_non_release=true&exclude_au=true&test=desktopui_MashLogin&exclude_not_run=false&row=board&col=build&view=matrix&days=14

This test just runs Chrome through the login screen with --enable-features=Mash, which runs ash out-of-process.

I think derat@ just added a suite to the Chrome PFQ that includes a similar test, so it would be good if this didn't flake.

spang, can you route this to the right person?


 
(Just to clarify, the ui.MashLogin Tast test is still informational. I'm planning to make failures count after the flakes are resolved. :-) )
Cc: dnicoara@chromium.org spang@chromium.org
Owner: dcasta...@chromium.org
Project Member Comment 4 by bugdroid1@chromium.org, Aug 28

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4c19549247aacdc4b4b742feaab55373c21f3012

commit 4c19549247aacdc4b4b742feaab55373c21f3012
Author: Daniele Castagna <dcastagna@chromium.org>
Date: Tue Aug 28 15:32:49 2018

ozone/drm: Fix nullptr deref in IsDeviceAtomic

DrmThread::IsDeviceAtomic currently can cause a SIGSEGV since it assumes
that |drm_device| is a valid pointer.
|drm_device| can be nullptr if the widget has been disabled.

This patch fixes the issue by checking that |drm_device| is a valid pointer
before dereferencing it.

Bug: 875882, 876385
Change-Id: I01527e9d9d294e0f98146ccd5e6d5ef70e0dfdf0
Reviewed-on: https://chromium-review.googlesource.com/1193963
Reviewed-by: Michael Spang <spang@chromium.org>
Commit-Queue: Daniele Castagna <dcastagna@chromium.org>
Cr-Commit-Position: refs/heads/master@{#586717}
[modify] https://crrev.com/4c19549247aacdc4b4b742feaab55373c21f3012/ui/ozone/platform/drm/gpu/drm_thread.cc

Project Member Comment 5 by bugdroid1@chromium.org, Aug 28

Labels: merge-merged-3532
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/938bded2a0cb263761a6294c6198382e78e48950

commit 938bded2a0cb263761a6294c6198382e78e48950
Author: Daniele Castagna <dcastagna@chromium.org>
Date: Tue Aug 28 23:42:07 2018

ozone/drm: Fix nullptr deref in IsDeviceAtomic

DrmThread::IsDeviceAtomic currently can cause a SIGSEGV since it assumes
that |drm_device| is a valid pointer.
|drm_device| can be nullptr if the widget has been disabled.

This patch fixes the issue by checking that |drm_device| is a valid pointer
before dereferencing it.

Bug: 875882, 876385
Change-Id: I01527e9d9d294e0f98146ccd5e6d5ef70e0dfdf0
Reviewed-on: https://chromium-review.googlesource.com/1193963
Reviewed-by: Michael Spang <spang@chromium.org>
Commit-Queue: Daniele Castagna <dcastagna@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#586717}
(cherry picked from commit 4c19549247aacdc4b4b742feaab55373c21f3012)
Reviewed-on: https://chromium-review.googlesource.com/1194975
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
Cr-Commit-Position: refs/branch-heads/3532@{#11}
Cr-Branched-From: cae5f8710a9652a6f1716812fbedfdd59fced679-refs/heads/master@{#585632}
[modify] https://crrev.com/938bded2a0cb263761a6294c6198382e78e48950/ui/ozone/platform/drm/gpu/drm_thread.cc

Status: Fixed (was: Assigned)
